Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Two conditions for Lookup

DanielAmlung
Explorer
‎01-04-2021 07:18 AM

Hi,

iam stuck with a problem where i need help from you guys. I have a search that runs IDs against a lookup to determine if that ID is from Production or Test Environment. Problem is: some IDs are double, means they exist in Prod and in Test. So when I search and hit one of those IDs they count against Prod and against Test. So i wanted to filter for two conditions that must be met - First would be the specific ID and second would be the environment. I cant get that to work, is there any way to select two conditions that must be met before the lookup give back an result?

I appreciate any feedback 🙂

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DanielAmlung
Explorer
‎01-28-2021 04:00 AM

Fixed it

 

/close

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DanielAmlung
Explorer
‎01-28-2021 04:00 AM

Fixed it

 

/close

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎01-04-2021 08:12 PM

lookup command takes as many conditions as needed

| lookup lookup_file id environment

that means you have to provide environment as a constraint to the lookup - is that what you mean?

you example indicates you are trying to determine if the id is test or prod, but if it returns both, is that not a valid response? What are you intending to do with the answer to the lookup?

 

 

 

0 Karma
Reply
Solved! Jump to solution

DanielAmlung
Explorer
‎01-04-2021 11:48 PM

 

Hi, thats what i tried. But then i get a multi value field "environment" back which contains both prod and test. I could split that into two fields, but in the summary its wrong because than i have 6 prod events insted of 3.

Idea behind this is: we have a system that calls for specific functions. Every call is tied to an ID, but since they also test the system it can happen that this id is valid both in prod and test. So when i create a search that queries only for calls from a specific id within the prod environment, i get douple results.  Because the id is both found in prod and test. So i wanted to filter for two conditions first one would be the id and second one would be the environment. But that need to happen within the lookup statement and not after wards.

 

Example search with mvexpand:

index=XX  sourcetype=iis

NOT cs_User_Agent=performanceTester cs_uri_stem="*datapoints*values/*" 

| search XXid=XX475 

| lookup local=true lkp_XX_ids_kv XXId AS xx_id  OUTPUTNEW SourceSystemName as source_system Environment

| mvexpand Environment

|search Prod

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...